Which are more potent: internal threats or external threats? Cybersecurity experts may debate the question, but at the end of the day, both can lead to devastating breaches.
In this series of articles, we'll explore the latter, starting with common but often overlooked external risks: domain exposure, brand exposure, and misconfigurations.
The term “domain exposure” includes several areas of potential risk.
When businesses rename their websites or get acquired, they often leave their old domains behind. Expired domains pose a significant security risk: once a domain lapses, anyone can register it, including malicious actors who might use it to:
- Steal payment card data from unsuspecting users who still visit the old address
- Receive email still sent to addresses on the domain (password-reset links included) and use those accounts to phish clients
- Steal company data
Typosquatting is a type of cyberattack in which an attacker registers a domain name that is as similar as possible to a legitimate one. The more popular and trusted the original domain, the more successful and potent the typosquatting attack.
Common examples of typosquatting include:
- Typos and Misspellings: Mis-typed addresses of well-known websites. E.g. goigle.com or gooogle.com instead of google.com.
- Wrong domain extensions: Changing the domain extension. E.g. google.co instead of google.com.
- Similar-sounding words: If the user isn't familiar with the website, they may be confused by a similar-sounding name. E.g. agor.io instead of agar.io.
- Hyphenated domains: Adding a hyphen to the domain name. E.g. face-book.co instead of facebook.com.
There are several ways that typosquatters can harm your company:
- Phishing: The typosquatter will make their duplicate site look as legitimate as possible. When a victim lands on the website, they can be asked to hand over their personal details and login credentials.
- Bait and switch: If the typosquatting domain belongs to an e-commerce website, they can lead you to buy a product but never actually send you the item.
- Malware: The fake site may serve drive-by downloads or trojanized installers that infect the victim's machine.
- Pranks: These may be harmless or not so harmless.
- Redirecting traffic: The attacker forwards visitors who land on the fake site to a competitor.
- Monetize traffic: Attackers may put up ads and popups to generate revenue from incoming traffic, or redirect traffic through an affiliate link, getting paid for each transaction.
- Surveys: The fake site pretends to collect feedback and phishes personal details from victims in the process.
Typosquatting has become such a big issue that large corporations like Apple, Google, and Facebook either register common misspellings of their own domains defensively or pursue squatters through the domain-name dispute processes (such as the UDRP) administered under the Internet Corporation for Assigned Names and Numbers (ICANN).
Subdomain takeover happens when one of your subdomains still points (typically via a CNAME record) at a third-party service resource that has since been moved or deleted. The DNS record is stale, but the provider still accepts claims for that resource name, so an attacker can register it themselves and have the provider serve their content under your subdomain. Popular scenarios include:
- GitHub Pages takeover: A subdomain's CNAME points at a GitHub Pages site that has been removed. An attacker who notices this creates their own GitHub Pages site and claims your subdomain as its custom domain; from then on, GitHub serves the attacker's content at your subdomain, giving them a foothold inside your ecosystem.
- Amazon S3 takeover: Suppose a subdomain points at an S3 bucket that has since been deleted. An attacker can create a bucket with the same name, and the stale DNS record now delivers your visitors to content the attacker controls, just as in the GitHub case. From there the attacker can launch phishing campaigns that appear to come from your company's own domain. Script served from the hijacked subdomain runs under your domain (effectively a persistent XSS), so it can read or set cookies scoped to the parent domain and abuse any CORS or CSP rules that trust the subdomain. The fix is to delete or re-point the DNS record whenever the resource it refers to is decommissioned.
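As an added example (not from the original article or from Netenrich), the Python below classifies subdomains for this class of stale-record risk: it follows each CNAME, checks whether the target still resolves, and, for providers with a known "unclaimed resource" response, fetches the subdomain to look for that fingerprint. The hostnames, DNS records and response bodies are constructed; the two fingerprints are the ones commonly associated with GitHub Pages and S3 but should be treated as assumptions to re-verify, since providers change their error pages.

```python
"""Flag subdomains whose CNAME points at a service resource that no longer exists.

Added example (not the page's or Netenrich's code). DNS and HTTP access are
injected so the logic runs offline against constructed records; the live_*
helpers show one stdlib-only way to wire it up.
"""
import socket
import urllib.error
import urllib.request

# Service suffix -> text the service returns for an unclaimed resource.
# Assumed fingerprints for illustration; re-verify against the real providers.
TAKEOVER_SIGNATURES = {
    "github.io": "There isn't a GitHub Pages site here",
    "s3.amazonaws.com": "NoSuchBucket",
}


def assess(subdomain, lookup_cname, resolves, fetch_body):
    """Classify one subdomain: ok, dangling, unknown-service, or unclaimed."""
    target = lookup_cname(subdomain)
    if target is None:
        return "ok", None                       # no CNAME: not this class of takeover
    target = target.lower().rstrip(".")
    if not resolves(target):
        return "dangling", target               # CNAME points at a name that is NXDOMAIN
    service = next((s for s in TAKEOVER_SIGNATURES
                    if target == s or target.endswith("." + s)), None)
    if service is None:
        return "unknown-service", target        # resolves, but no fingerprint to check
    # Request the *subdomain* (the provider routes on the Host header), not the target.
    body = fetch_body(f"http://{subdomain}/")
    if body and TAKEOVER_SIGNATURES[service] in body:
        return "unclaimed", target              # anyone can claim this name at the provider
    return "ok", target


def scan(subdomains, lookup_cname, resolves, fetch_body):
    """Assess every subdomain and return {name: (verdict, cname_target)}."""
    return {s: assess(s, lookup_cname, resolves, fetch_body) for s in subdomains}


# --- live helpers (network) ---------------------------------------------
def live_cname(name):
    """Best-effort CNAME via the canonical name gethostbyname_ex reports.
    Limitation: if the target is NXDOMAIN the call fails and no CNAME is
    returned; use dnspython's dns.resolver.resolve(name, 'CNAME') for that."""
    try:
        canonical, _, _ = socket.gethostbyname_ex(name)
    except socket.gaierror:
        return None
    return canonical if canonical.lower() != name.lower() else None


def live_resolves(name):
    """True if the name has at least one A record."""
    try:
        socket.gethostbyname(name)
        return True
    except socket.gaierror:
        return False


def live_body(url):
    """Fetch up to 4 KiB; 404 bodies are kept because they carry the fingerprint."""
    try:
        with urllib.request.urlopen(url, timeout=5) as resp:
            return resp.read(4096).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.read(4096).decode("utf-8", "replace")
    except (urllib.error.URLError, OSError):
        return None


# --- constructed records for an offline run -----------------------------
SAMPLE_CNAMES = {
    "docs.example.com": "example-org.github.io",              # Pages site deleted
    "assets.example.com": "example-assets.s3.amazonaws.com",  # bucket deleted
    "api.example.com": "example-api.s3.amazonaws.com",        # bucket still exists
    "old.example.com": "old-site.azurewebsites.net",          # target name gone entirely
    "www.example.com": None,                                  # A record, no CNAME
}
SAMPLE_RESOLVES = {
    "example-org.github.io": True, "example-assets.s3.amazonaws.com": True,
    "example-api.s3.amazonaws.com": True, "old-site.azurewebsites.net": False,
}
SAMPLE_BODIES = {
    "http://docs.example.com/": "<h1>404</h1><p>There isn't a GitHub Pages site here.</p>",
    "http://assets.example.com/": "<Error><Code>NoSuchBucket</Code></Error>",
    "http://api.example.com/": "<html>welcome</html>",
}


def demo():
    """Run the classifier over the constructed records."""
    return scan(SAMPLE_CNAMES, SAMPLE_CNAMES.get,
                lambda n: SAMPLE_RESOLVES.get(n, False), SAMPLE_BODIES.get)


if __name__ == "__main__":
    for name, (verdict, target) in demo().items():
        print(f"{name}: {verdict} ({target})")
```

For a live run, call scan(names, live_cname, live_resolves, live_body). A "dangling" verdict needs a real CNAME lookup (dnspython) because the stdlib helper cannot report the CNAME once the target is gone; "unknown-service" verdicts are worth reviewing by hand against a maintained fingerprint list.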
There are multiple techniques hackers can use to damage your brand: spreading misinformation, conducting phishing attacks, misusing your product or services, and the like. Data leaks can compromise the privacy of your employees, and hackers may use stolen data to impersonate them in order to exploit your customers. Paste sites might look something like this:
Paste sites are often the location of choice for hackers to dump breached account credentials, for the following reasons:
- Creating a paste is a straightforward process: you are literally copy-pasting text onto the site.
- It is easy to distribute information through the site.
- The process is entirely anonymous.
It is critical to monitor these paste sites to ensure that employee and executive credentials have not been exposed; otherwise an attacker can pick up the credentials from a paste and impersonate the victim.
Believe it or not, this is just the tip of the iceberg. Have you ever heard of “Collection #1-5?”
If not, picture this: a set of files containing over 2.2 billion unique usernames and associated passwords, aggregated from breached databases such as LinkedIn and Dropbox over the last few years. Hackers are distributing these files on torrents and forums right now. So there is a good chance that your employees' credentials are currently circulating among hackers planning an attack on your company.
Back in March 2018, someone created a fake profile impersonating Ethereum co-founder Vitalik Buterin to scam users out of $20,000 worth of Ether.
So many attackers have tried to impersonate Buterin’s online profile that he was forced to add “Non-giver of Ether” to his profile name:
Phishing campaigns may also target your users with attackers impersonating your IT or support staff, leveraging the trust you have built with customers to extract personal details. Monitoring impersonating profiles and communications is critical to shutting down attacks against users.
A 2020 DivvyCloud report found that, between January 1, 2018, and December 31, 2019, 196 data breaches exposed more than 33 billion records due to misconfigured cloud environments, at an estimated cost of $5 trillion.
Inexperienced users, lack of visibility, and a failure to move on from outdated security models have led to a huge spike in cloud misconfigurations. DivvyCloud also noted that 44% of the breaches in 2018 and 2019 involved Elasticsearch misconfigurations, with S3 bucket misconfigurations accounting for 16% and MongoDB misconfigurations for 12%.
Attack Surface Management lets you see what they see
Always-on Attack Surface Intelligence (ASI) from Netenrich continuously crawls your data center and cloud for signs of external vulnerability. ASI complements pen testing, Red Team exercises and other “point in time” approaches by identifying digital risk these approaches might not uncover.
Your team can log in anytime to view dashboards and drill down to resolve the issues described above:
Instead of manually keeping track of your website certificate’s expiration, our dashboard will automate that for you and provide 7- and 14-day warnings to renew.
ASI generates variations of your domain and checks DNS to see which of them are registered and resolving. This accomplishes two things:
- Clients learn which domain names mimic their own, can check which of them are harmful, and can warn their customers accordingly.
- Clients also see which of the variations they would like to own are still available, which helps them register those defensively before a squatter parks them.
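The check just described, generating lookalikes for the four typosquatting categories listed earlier on this page (typos and misspellings, wrong extensions, similar-sounding words, hyphenation) and resolving each one, fits in a few dozen lines. The Python below is an added example, not Netenrich's code or the page's; the keyboard-adjacency table, the alternate-TLD list and the DNS table it runs against offline are constructed for illustration, and only single-label domains like google.com are handled.

```python
"""Generate typosquat candidates for a domain and check which ones resolve.

Added example (not Netenrich's or the page's code). Candidate generation is
pure; the resolver is injected so it can run offline against a constructed
DNS table. Only simple second-level domains like 'google.com' are handled.
"""
import socket

VOWELS = "aeiou"
# Partial QWERTY adjacency, assumed for illustration; extend for real use.
KEYBOARD_NEIGHBORS = {
    "a": "qwsz", "e": "wsdr", "g": "fthyv", "i": "ujko",
    "l": "kop", "o": "iklp", "r": "edft", "s": "awedxz",
}
ALT_TLDS = ("com", "co", "net", "org", "io")


def split_domain(domain):
    """'google.com' -> ('google', 'com'). Assumes a single label before the TLD."""
    label, _, tld = domain.lower().rpartition(".")
    return label, tld


def typosquat_candidates(domain):
    """Return sorted lookalike domains covering the four typosquatting categories."""
    label, tld = split_domain(domain)
    cands = set()
    for i, ch in enumerate(label):
        # Typos and misspellings: omit, repeat, transpose, or hit an adjacent key
        cands.add(label[:i] + label[i + 1:] + "." + tld)                       # gogle.com
        cands.add(label[:i] + ch + label[i:] + "." + tld)                      # gooogle.com
        if i + 1 < len(label):
            cands.add(label[:i] + label[i + 1] + ch + label[i + 2:] + "." + tld)  # gogole.com
        for n in KEYBOARD_NEIGHBORS.get(ch, ""):
            cands.add(label[:i] + n + label[i + 1:] + "." + tld)               # goigle.com
        # Similar-sounding words: swap one vowel for another
        if ch in VOWELS:
            for v in VOWELS.replace(ch, ""):
                cands.add(label[:i] + v + label[i + 1:] + "." + tld)           # agor.io
        # Hyphenated domains: insert a hyphen at each interior position
        if i > 0:
            cands.add(label[:i] + "-" + label[i:] + "." + tld)                 # goo-gle.com
    # Wrong domain extensions
    for alt in ALT_TLDS:
        if alt != tld:
            cands.add(label + "." + alt)                                       # google.co
    cands.discard(domain.lower())
    return sorted(cands)


def dns_resolve(name):
    """Live lookup: first IPv4 address for name, or None if it does not resolve."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def active_lookalikes(domain, resolver=dns_resolve):
    """Map each candidate that currently resolves to its address."""
    hits = {}
    for cand in typosquat_candidates(domain):
        addr = resolver(cand)
        if addr:
            hits[cand] = addr
    return hits


# Constructed DNS table (documentation-range addresses) for an offline run.
FAKE_DNS = {
    "goigle.com": "203.0.113.10",
    "google.co": "203.0.113.11",
    "goo-gle.com": "203.0.113.12",
    "unrelated.com": "203.0.113.13",
}


def demo():
    """Offline check of google.com against the constructed table."""
    return active_lookalikes("google.com", resolver=FAKE_DNS.get)


if __name__ == "__main__":
    for name, addr in demo().items():
        print(f"{name} -> {addr}")
```

Run it as-is for the offline demo, or call active_lookalikes("yourdomain.com") for a live DNS pass. Combining categories (hyphen plus TLD swap, as in face-book.co) widens coverage; a lookalike that resolves is only a lead, and the registrant's intent still has to be assessed before warning customers.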
ASI crawls your organization in the background to discover subdomains. At the same time, our Knowledge NOW (KNOW) global intelligence gathers threat intelligence from across the web to add context about the risk each subdomain poses. After cross-referencing the data, Netenrich's dashboard prescribes remediation tasks to plug the holes in your attack surface.
Our system continuously crawls forums and searches code repositories across the internet for possible data leakage. We also check for information exposed through popular cloud storage services such as Azure Blob Storage and Amazon S3.
ASI integrates with the Have I Been Pwned API to detect instantly whether employee email addresses appear in known breaches. If they do, our platform retrieves the corresponding passwords and runs a credential-stuffing check of those passwords and their variations against your company's infrastructure. If we find a match, we immediately flag the account and give you a detailed, contextual report about this potential Achilles heel.
ASI also probes services such as SSH, RDP, FTP, SMB and SNMP, and many web applications such as routers' web UIs and HTTP basic-auth endpoints. We check for default credentials, SSL-based authentication, and whether password- or key-based authentication is in use.
Misconfigurations and more
More to come on misconfigurations, but to see how ASI organically solves MongoDB and Elasticsearch misconfigurations, check out our use case.
External risks such as domain exposure, brand exposure, and misconfigurations led to 40% of breaches over the past two years. In Part II of this series, we'll look at why 20% of hacking activity focuses on vulnerabilities.